A blog about reverse engineering, mathematics, politricks and some more ...

Sunday, January 12, 2014

Why Intelligence Reform is necessary

This is the first part of a two-part blog post on the need for intelligence reform.

Why do I even feel entitled to an opinion?

I have been dealing with the technical side of computer network attacks for more than 15 years, and have written exploits for about as long as the now-famous "tailored access operations" team inside NSA has existed. Many people consider me to be an expert on all things related to reverse engineering and exploitation. Through my work, I have had as much exposure to government-organized hacking as you can have without getting a clearance. I understand this stuff, and as a firm believer in the ability of democracies to right themselves through informed debate, I feel the need to stray from my usual technical stomping grounds and talk about politics.

Over the years, I have met and talked with a number of people that used to work in, or close to, the intelligence community. I have found the vast majority of them to be conscientious, hard-working, idealistic (after all, pay in the government sector is often significantly below the private sector, so a sense of duty plays a large role), and overall good people. In political discussions, we had more commonalities than disagreements. Politically, while I am slightly left-of-center on many political questions, I am a defense and intelligence hawk (at least by European standards) - I do believe that intelligence agencies have a legitimate role to play in both foreign policy and counter-terrorism, and I am aware enough of the realities of international law that mean that countries that neglect their defense and intelligence organizations do so at their own peril.

At the same time, having grown up in a country more heavily burdened by historical abuse of state security institutions than most, and in a region of the world where - in living memory - many countries lost 5-10%+ of their entire population in wars fueled by nationalist ideals, I am instinctively worried about concentrating excessive powers in state security institutions. I am also easily alarmed by nationalist thoughts and ideology.

The Snowden revelations, but much more so the reactions to the Snowden revelations, have caused me to think about the implications of the technological changes we are in the midst of - for both society and surveillance. I conclude that our societies need a reform of the legal frameworks for signals intelligence in a digitized world - not only in the English-speaking countries, but also in all those countries that aspire to obtain the same capabilities.

Policy ideas are always the result of a combination of practical considerations and personal ideology. In order to be transparent with my personal ideology, I should explain as much of it as possible before delving into my ideas for reform. To do this, I will address a few common arguments that I have encountered that express incredulity at the public outrage, and explain why I think the outrage is (partially) justified.

"The Russians and Chinese are much worse, so where's the outrage about them?"

People are outraged at the disclosures about widespread espionage by English-speaking countries while they are not outraged by Russian or Chinese espionage because people expect different behavior from friends than from adversaries. Most of the world considers the English-speaking countries to be committed to principles of democracy, justice, and fairness. When dealing with them, these countries are treated as friends and allies. Nobody in central Europe for example is worried about a US invasion, while a faint fear of Russian invasion is never far away.

Expectations are different when it comes to Russia or China: These countries have such an abysmal record of human rights; such an abysmal record when it comes to questions of the rule of law that nobody expects anything from them. Russia is, for all purposes, treated as an aging and wounded bear, unpredictable but still dangerous. China is even compared to 1910-1914 Germany in the current issue of "The Economist", hardly a flattering comparison.

In short, it is entirely normal to expect different behavior from your friends than from your enemies or rivals. Having your apartment burgled by a known criminal gang is one thing, having your friend, whom you had over for dinner repeatedly, burgle your apartment, is a very different thing.

"We do not violate the privacy of our own citizens, and everything we do is outside our territory, so what's the damage?"

The problem with this argument is a discrepancy between the legalistic interpretation of the constitution and the emotional interpretation of the constitution - a discrepancy between "the letter of the law" and "the spirit of the law".

A constitution is aspirational - it outlines the basic principles and values to which a society aspires. These principles are universally recognized by a country's population as "the right thing to do".

In practice, though, the US cannot reasonably grant the rights in the 4th Amendment to people living in China, and Germany could not enforce the constitutionally guaranteed equality of all humans in apartheid-era South Africa. As a result, Constitutional rights end at borders. It is important to keep in mind, though, that this is not because we think that Chinese do not deserve protection from unreasonable search & seizure, or because we think that Freedom of Speech should not apply outside of our borders - but only because we are in no practical position to grant rights to someone living under the jurisdiction of another government. (There is the other matter that we'd violate international law, but if history is any guide, international law does not exist unless the strongest player wants to enforce it).

Nobody extends their constitutions across their borders because it would mean intervening in other countries. But the principles in the constitution are good principles, and we should try to adhere to them wherever possible. We cannot force the Chinese government to allow Freedom of Speech in China, but that does not mean that it would be OK for us to further suppress Freedom of Speech there - just because China happens to be outside of our borders.

Secondly, there is the Universal Declaration of Human Rights. This is as close to a universal constitution as humanity has gotten, and it explicitly mentions in article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

The UDHR is a good document, and one that all important powers signed after the atrocities of the two world wars. The US was a driving force in drafting it and getting it ratified - why are we completely ignoring it now, arguing that any privacy protections do not apply to non-citizens outside of our territory?

"Corporations collect vastly more data, and they are not under democratic control."

There is an important bit of truth in this statement: Corporations are collecting ever-more data, and it is quite unclear whether existing legal frameworks are sufficient to protect privacy. In my personal opinion, all developed nations should pass legislation that enforces something similar to the OECD's "seven principles for the protection of personal data", and hold companies accountable for this. People need to understand what data is collected, for what purpose, and have wide-ranging ability to inspect, edit and delete the collected data.

At the same time, the argument that insufficient legal oversight in one area justifies insufficient legal oversight in another area is clearly wrong. Both areas, corporate and government data collection, need to have their oversight fixed.

"Sufficient controls are in place to prevent abuse of power"

I'd be strongly inclined to believe this argument - but there are two important points that we should keep in mind. First off, checks and safety procedures are hardly ever perfect, and tend to erode in times of crisis. One could say that most democracies are two terror strikes and one opportunist away from a dictatorship, and safeguards are much more quickly eroded than they are rebuilt. Democratic societies need to stay in constant debate about where the limits of surveillance are supposed to lie.

I believe that today the controls in the US are sufficient to prevent the most egregious abuse of power. I do not have much faith, though, that they would survive one major terrorist strike combined with a wrongly ambitious president or vice president.

Legal safeguards in a democracy buy you time. If you elect a madman, dismantling the safeguards will take him some time. Hopefully, the safeguards take longer than 8 years to dismantle. Being a security-minded person, I'd like to have some margin of error on this.

The second point to consider is that of "creeping abuse". Post 9/11, exceptional powers were granted to the security apparatus to protect our societies from further terrorist strikes. These powers were explicitly granted for counter-terrorism. The natural inclination of the security apparatus is then to slowly and carefully widen the definition of terrorism. We can see this in action: Glenn Greenwald's partner, David Miranda, was detained under legislation explicitly drafted for counter-terrorism - using rights only granted for fighting terrorists that are bent on mass killing, which Mr Miranda was clearly not about to do. We have also watched Mr Clapper publicly twisting the meaning of the word "collection" until it implied that a stamp collector doesn't collect stamps unless he looks at them.

In short: I am uncomfortable with what I perceive as an insufficiently wide safety margin against abuse - and we have all seen an abuse of anti-terror legislation for an entirely unrelated cause, that of self-defense of the security organizations against embarrassment. We need much stronger safeguards, and much more transparency.

"Spies spy, why are people surprised?"

I am not surprised, or even particularly worried, about state-to-state espionage. My opinion on this is that where matters are truly vital (nuclear proliferation, questions of war and peace etc.) intelligence collection should lead to better-informed leaders and hopefully peaceful outcomes.

My ethics dictate that strength should not be abused - e.g. I would consider it unethical for a strong developed nation to use espionage against a weak developing country to get a leg up in trade negotiations - but in general, nobody is surprised or outraged that the people in the White House want to know what the leaders in Tehran are thinking, and vice versa.

People are surprised because governments everywhere have been hesitant to explain to their own population what exactly intelligence agencies do. Similar to internet companies that hide the true extent of data collection in a gigantic EULA that no user understands, governments everywhere "hide" what these agencies do in plain sight: Large quantities of dispersed legalese and vague formulations.

Democratic governments need to become better at explaining what these agencies are for and what the exact authorities and limitations of these agencies are. Voters can then decide if they are cool with that. The historical tendency to hide these organisations from public view is wrong, antidemocratic, and ultimately harmful to both the democracies and the mission of these organisations.

"Everybody does it and has always done it!"

One could easily get into an argument about whether this statement is true or not - historically, many countries (including the US) only performed intercept and cryptanalysis during times of war. Then again, when politicians tried to disband signals intelligence (SIGINT) organisations, these organisations had a tendency to be conserved elsewhere in the bureaucracy. So even if we accept that SIGINT collection in times of peace is an unchangeable fact of life, the nature of collection has changed significantly in recent decades.

Even during the height of the cold war, when the US had all its ears focused on Russia, the odds that some random Russian person had their communication intercepted and archived by the US were near-zero.

The technological explosion we're living in changed this: International communication has grown exponentially, and it is likely that the majority of the population of most industrialized nations have participated in communications that were intercepted (if not necessarily read by a human being).

This is a radical change. Technology has amplified everybody's ability to communicate, but also created a society where virtually everybody's data has been touched by one, if not more, security organisations - both domestic and foreign. The legal framework has simply been outpaced by technological progress, and the security agencies have been extremely happy to not draw attention to this.

This new reality needs to be addressed - not only in the countries that were hit by the recent revelations, but in all modern democracies (many of which have even weaker oversight over their intelligence agencies than the famous "5 eyes").

Summary:

Technology has changed the world, vastly expanding everybody's ability to communicate - but at the same time, also vastly expanding not only the potential for surveillance, but actual surveillance.

Intelligence collection should not be done "in bulk" - a regular person should have negligible odds of ever having their communication intercepted and archived.

Intelligence reform is needed - in all modern democracies - to ensure that people can have privacy, to combat the mistaken view that "all is fair if it's not on my territory", and to strengthen the safeguards against abuse.

My next post will talk a bit more about what reforms should be enacted, and what may happen if we fail to act.

4 comments:

Regarding Corporations, I want to add that sometimes this reduces to "People post lots of things to Facebook so why shouldn't the government be able to collect their phone records?" In fact, in the US the Fourth Amendment concept of the Third Party Doctrine treats any business record held by any third party as if it had been posted on the open Internet, for the purposes of government access. This oversimplification is worth addressing.

People choose what they post to Facebook and there are things they choose not to post. Financial and telecom records often contain information that isn't on Facebook, and the conscious decision that people make not to put it all there is important.

Furthermore, the third parties aren't all working together. One company may have, out of necessity, some fragment of my life, but the picture that is created by aggregating together all of the data from all of the different corporations that I deal with is different from the picture that each company has on its own.

Finally, people expect Corporations to use the business records that they have strictly for business purposes. Often, privacy policies contractually prohibit corporations from sharing the records that they have with third parties, but for some reason our concept of government access functions as if those contractual relationships didn't exist or don't matter to people. The government's use for these business records isn't a benign effort to make my life more convenient or even advertise to me - they are watching me in order to see if I've done anything that they don't like. Their application for my data is necessarily a threat to me, not a benefit, so it has an entirely different character than the purpose for which it was originally collected. (The idea that I benefit from protection from terrorism is a canard that gets raised here. That's an argument for targeted surveillance, not bulk surveillance. My data is not used to protect me. My data is used to investigate me.)

In the intelligence context it's incredibly important to recognize that one need not have done anything wrong in order to be interesting to an intel agency. Often, intel agencies use secrets that don't represent criminal activity but that are merely embarrassing in order to blackmail people. Sometimes, particularly in the political context, the purpose of intelligence surveillance is to convey a strategic advantage to one's adversaries by providing them with private information about your associations, plans, and negotiating positions.

While a respect for human rights demands that we consider the privacy interests of people everywhere, intelligence surveillance is particularly dangerous when it is used domestically, as it has the potential to neutralize legitimate domestic political movements that stand in opposition to the views of the party in power. In that sense, it can undermine democracy. There is a serious allegation that it was used to this effect in the United States in the late 1960's in order to marginalize opposition to the war in Vietnam, and there are well informed observers such as Mary Wheeler who have raised the concern that the domestic telecom meta-data surveillance program in the United States may have targeted opposition to the second Iraq war. The use of surveillance in the former East Germany provides a clear example of how dangerous this can be.

I enjoyed reading the first part of your blog (over a beer) and cannot agree with what you have said so far. I look forward to the second part of this blog but I am extremely skeptical that any effective reform will be carried out. I'm more inclined towards educating the masses on leveraging technology to protect themselves. Technology cuts both ways and is a great catalyst for empowerment.
